1. Technical Field
The present invention relates in general to a method and system for securing private networks. Still more particularly, the present invention relates to an improved method and system encrypting information between server and client computers in a private network.
2. Description of the Related Art
A computer network becomes disproportionately more difficult to manage as it increases in size, complexity and geographic dispersion. Management of the network involves configuration of software available on the machines or for a user in the network, coordination of access to shared resources and implementation of security measures. In addition, communication traffic on the computer network is monitored to ensure that the system is configured appropriately to reduce security risks and to improve efficiency.
Computer network security typically is implemented from the point of view that computer networks external to an enterprise are inherently untrusted and that computer networks internal to an enterprise are inherently trusted. As a result, security tends to be implemented using perimeter, or point of access, security mechanisms where communications from the external network enter into the internal network. One common way to implement connectivity with computers external to the enterprise is by encrypting and authenticating such communications using a protocol such as Secure Socket Layers (SSL). Such a system, however, does not protect against internal security breaches.
One way communications internal to an enterprise could be protected would be by encrypting internal communications using public key encryption such as used in SSL. Public key encryption uses a pair of asymmetric keys for encryption. One of these pairs is referred to as a “public” key and is shared with others, while the other key is a “private” key which is never distributed and is always kept secret. When data is encrypted using the public key, it can only be deciphered using the private key, and vise-versa (i.e., data encrypted using the private key can only be deciphered using the public key). In order to establish the secure link between two computers, one computer initiates a “handshake” with another computer to exchange public keys and establish a secure connection.
Using public key encryption on a private network presents challenges to the enterprise. First, while performing handshakes between every computer on the private network would secure the network, the security processing would result in poor performance on the network as more resources would be devoted to implementing security. A second challenge faced when confronting the first challenge, is determining which connections need to be secure in order to prevent unintentional disclosure of sensitive information. For example, an employee sending medical information to the company's medical department may want the information to be kept secret from others not in the medical department. However, the same employee sending a bulletin intended for all employees probably does not care to encrypt the information.
What is needed, therefore, is a way to seamlessly secure certain communications across a private network without overloading system resources and without making the system too complex to efficiently manage.